US10221944B2 - Vehicle-mounted control device or vehicle-mounted control system - Google Patents

Vehicle-mounted control device or vehicle-mounted control system Download PDF

Info

Publication number
US10221944B2
US10221944B2 US15/319,025 US201515319025A US10221944B2 US 10221944 B2 US10221944 B2 US 10221944B2 US 201515319025 A US201515319025 A US 201515319025A US 10221944 B2 US10221944 B2 US 10221944B2
Authority
US
United States
Prior art keywords
atcu
relay
electronic control
control device
power supply
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/319,025
Other languages
English (en)
Other versions
US20170146118A1 (en
Inventor
Satoru Okubo
Kenji Masuda
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Astemo Ltd
Original Assignee
Hitachi Automotive Systems Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Automotive Systems Ltd filed Critical Hitachi Automotive Systems Ltd
Assigned to HITACHI AUTOMOTIVE SYSTEMS, LTD. reassignment HITACHI AUTOMOTIVE SYSTEMS, LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MASUDA, KENJI, OKUBO, SATORU
Publication of US20170146118A1 publication Critical patent/US20170146118A1/en
Application granted granted Critical
Publication of US10221944B2 publication Critical patent/US10221944B2/en
Assigned to HITACHI ASTEMO, LTD. reassignment HITACHI ASTEMO, LTD. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: HITACHI AUTOMOTIVE SYSTEMS, LTD.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F16ENGINEERING ELEMENTS AND UNITS; GENERAL MEASURES FOR PRODUCING AND MAINTAINING EFFECTIVE FUNCTIONING OF MACHINES OR INSTALLATIONS; THERMAL INSULATION IN GENERAL
    • F16HGEARING
    • F16H61/00Control functions within control units of change-speed- or reversing-gearings for conveying rotary motion ; Control of exclusively fluid gearing, friction gearing, gearings with endless flexible members or other particular types of gearing
    • F16H61/12Detecting malfunction or potential malfunction, e.g. fail safe; Circumventing or fixing failures
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/03Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for supply of electrical power to vehicle subsystems or for
    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F16ENGINEERING ELEMENTS AND UNITS; GENERAL MEASURES FOR PRODUCING AND MAINTAINING EFFECTIVE FUNCTIONING OF MACHINES OR INSTALLATIONS; THERMAL INSULATION IN GENERAL
    • F16HGEARING
    • F16H61/00Control functions within control units of change-speed- or reversing-gearings for conveying rotary motion ; Control of exclusively fluid gearing, friction gearing, gearings with endless flexible members or other particular types of gearing
    • F16H61/0003Arrangement or mounting of elements of the control apparatus, e.g. valve assemblies or snapfittings of valves; Arrangements of the control unit on or in the transmission gearbox
    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F16ENGINEERING ELEMENTS AND UNITS; GENERAL MEASURES FOR PRODUCING AND MAINTAINING EFFECTIVE FUNCTIONING OF MACHINES OR INSTALLATIONS; THERMAL INSULATION IN GENERAL
    • F16HGEARING
    • F16H61/00Control functions within control units of change-speed- or reversing-gearings for conveying rotary motion ; Control of exclusively fluid gearing, friction gearing, gearings with endless flexible members or other particular types of gearing
    • F16H61/12Detecting malfunction or potential malfunction, e.g. fail safe; Circumventing or fixing failures
    • F16H2061/1256Detecting malfunction or potential malfunction, e.g. fail safe; Circumventing or fixing failures characterised by the parts or units where malfunctioning was assumed or detected
    • F16H2061/1292Detecting malfunction or potential malfunction, e.g. fail safe; Circumventing or fixing failures characterised by the parts or units where malfunctioning was assumed or detected the failing part is the power supply, e.g. the electric power supply

Definitions

  • the present invention relates to a vehicle-mounted electronic control device.
  • each of these electronic control devices is supplied with driving power from a power supply such as a battery. Also, between the power supply and the electronic control device, a power supply relay is normally inserted as a means for supplying/breaking the driving power. Also, in a target device to be controlled by the electronic control device, a power supply relay or a circuit for supplying/breaking the power is generally inserted.
  • Each of the electronic control devices needs to perform control to guide a corresponding system to a safe direction in a case in which any abnormality occurs.
  • the electronic control device detects the abnormality by means of a monitor microcomputer or a main microcomputer of its own and breaks the power supply relay of the target device or the power supply circuit to move to a fail-safe state.
  • a main microcomputer for throttle control, ignition control, and fuel injection control makes a self-diagnosis in terms of an input function, an operation function, an output function, and a storage function to confirm whether or not the main microcomputer itself is normal.
  • the electronic control device has also implemented therein a monitor device such as a sub-microcomputer to monitor a functional failure of the main microcomputer.
  • the sub-microcomputer detects a failure, the sub-microcomputer breaks a power supply relay of an electronic throttle valve that the electronic control device is controlling and physically breaks an output unit of a fuel injection valve.
  • the target device can reliably be brought to the fail-safe state by the monitor device such as the sub-microcomputer.
  • the monitor device such as the sub-microcomputer.
  • an electronic control device that collectively controls power supply relays connected to a plurality of electronic control devices respectively fulfilling predetermined functions and connected through a LAN and detects whether or not a communication state is present depending on the state of each of the power supply relays to determine whether or not the power supply relay is failed (refer to PTL 2 and the like).
  • the electronic control device must have implemented therein the monitor device such as the sub-microcomputer Additional implementation will lead to a cost increase of the electronic control device.
  • a functional failure can be detected by a self-diagnosis.
  • transition to the fail-safe state cannot be achieved.
  • PTL 2 employs a method in which a failure is detected by means of communication with a vehicle-mounted electronic device connected to a power supply via a different relay from a relay targeted for failure detection.
  • a failure is detected by means of communication with a vehicle-mounted electronic device connected to a power supply via a different relay from a relay targeted for failure detection.
  • PTL 2 also focuses on a method for detecting an abnormality and does not describe a behavior (fail-safe process) after abnormal detection as a system.
  • the present invention is accomplished by taking such problems as mentioned above into consideration thereof, and an object thereof is to provide a technique for detecting a failure of a power supply breaker circuit of an electronic control device for a vehicular automatic transmission and, in a case in which an upper electronic control device performs abnormality detection and detects an abnormality, safely moving to a fail-safe state without depending on the electronic control device for the vehicular automatic transmission.
  • a monitor system for monitoring an electronic control device for a vehicular automatic transmission includes an upper electronic control device (hereinbelow, a monitor device) physically independent, for detecting an abnormality of the ATCU, a power supply means for supplying the ATCU and the monitor device with driving power, a power supply means for supplying the monitor device with driving power in a case in which an activation switch signal (hereinbelow, an IGNSW) to be input from outside is in an active level, a first relay (hereinbelow, an IGN relay) provided between the power supply means and the monitor device for supplying/breaking power to the monitor device, a second relay (hereinbelow, an ATCU relay) provided on the downstream of the IGN relay for supplying/breaking driving power to the ATCU based on determination of the monitor device regarding whether or not the driving power is to be supplied to the ATCU, and a communication line for making a diagnosis in the ATCU and the monitor device.
  • the monitor device turns ON/OFF the ATCU
  • the monitor device in a case in which the IGNSW changes from a low level to an active level, the monitor device makes a diagnosis of a failure of the ATCU relay before normal control is performed.
  • the monitor device makes a self-diagnosis of a microcomputer thereof in a case in which the IGNSW changes from a low level to an active level, and only when a diagnosis result is normal, the monitor device turns ON the ATCU relay to supply the ATCU with electric power.
  • the ATCU is activated and then makes a self-diagnosis of a microcomputer thereof, and only when a diagnosis result is normal, the ATCU transmits a breaker circuit diagnosis request to the upper electronic control device by means of the communication line.
  • the monitor device in a case in which the monitor device has received the breaker circuit diagnosis request from the ATCU by means of the communication line, the monitor device causes the ATCU relay to be turned OFF to break electric connection to the ATCU.
  • the ATCU In the ATCU according to another aspect, the ATCU, electric connection to which is broken, detects communication loss with the monitor device by means of the communication line.
  • the monitor device in a case in which the monitor device detects the communication loss, the monitor device determines the power supply breaker circuit diagnosis of the ATCU is normal. Conversely, in a case in which communication with the ATCU is established although the ATCU relay is caused to be turned OFF, the monitor device determines the power supply breaker circuit diagnosis is abnormal.
  • the ATCU in a case in which the ATCU has received information of the power supply breaker circuit diagnosis abnormality from the monitor device by means of the communication line, the ATCU moves to a fail-safe state such as a standby state not to perform control of the vehicular automatic transmission, that is, oil pressure control of a solenoid valve.
  • a fail-safe state such as a standby state not to perform control of the vehicular automatic transmission, that is, oil pressure control of a solenoid valve.
  • another electronic control device can be regarded as a monitor device of the ATCU, and the monitoring-side other electronic control device controls a power supply relay of the ATCU.
  • the monitor device turns OFF the ATCU relay at intended time and confirms a communication state from the ATCU through this operation to enable an ON/OFF failure of the ATCU relay to be detected.
  • the monitor device can turn OFF the power supply relay of the ATCU to stop operations of the ATCU.
  • the monitor device can turn OFF the power supply relay of the ATCU to stop operations of the ATCU.
  • the monitor device transmits failure information to the ATCU, and the ATCU can carry out a fail-safe process such as transition to a standby state by the ATCU itself.
  • another electronic control device implemented on the vehicle acts as a monitor device to dispense with implementation of a monitor device on the ATCU itself, which is advantageous to system cost reduction.
  • FIG. 1 illustrates an example of a monitor system as an embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating a monitoring procedure between an ELOP and an ATCU at the time of first activation.
  • FIG. 3 is a flowchart illustrating a monitoring procedure between the ELOP and the ATCU at the time of a normal operation.
  • FIG. 4 illustrates a power supply breaker circuit diagnosis procedure
  • FIG. 5 is a timing chart of the power supply breaker circuit diagnosis at the time of the normal operation (first activation).
  • FIG. 6 is a timing chart of the power supply breaker circuit diagnosis at the time of recovery during SSOFF delay.
  • FIG. 7 is a system configuration diagram illustrating conventional ELOP-ATCU relationship.
  • FIG. 8 is a flowchart illustrating a procedure for calculating answer data in the ATCU to question data from the ELOP.
  • FIGS. 1 to 3 A first embodiment of the present invention will be described with reference to FIGS. 1 to 3 .
  • FIG. 1 illustrates the first embodiment of the present invention in which a transmission control device (hereinbelow referred to as an ATCU) 1 for controlling a vehicular automatic transmission is a target to be monitored.
  • the target to be monitored may be an electronic control device for controlling another vehicle-mounted electric component such as an engine, a seat belt, and a motor.
  • FIG. 1 is a schematic view of a monitor system for monitoring the ATCU 1 in which an electric oil pump control device (hereinbelow referred to as an ELOP) 2 is a monitor device.
  • the monitor system includes the ATCU 1 , which is a target to be monitored, the ELOP 2 , which is physically independent from the ATCU 1 and which acts as a monitoring side, an IGN relay 3 for supplying/breaking driving power to the ELOP 2 , an ATCU relay 4 for undergoing ON/OFF control by means of the ELOP 2 and supplying/breaking driving power to the ATCU 1 , a power supply (may be a battery or a not-illustrated power generator) 5 for supplying driving power to respective electronic control devices, an IGNSW 6 for undergoing ON/OFF operations of a driver and controlling whether or not driving power is supplied to the ELOP 2 and the respective electronic control devices, and a solenoid valve 7 for connecting/disconnecting a crutch of the automatic transmission in response to an instruction from the ATCU 1
  • the ATCU 1 includes a microcomputer 8 serving as a control circuit for switching calculation and output of the driving amount of and to one of a plurality of solenoid valves 7 to calculation and output of the driving amount of and to another one, a power supply circuit 9 for converting supply voltage from the power supply 5 into driving voltage and supplying the driving voltage to the microcomputer 8 , a communication I/F circuit 10 for communicating with the ELOP 2 , and a driver circuit 11 for converting the driving amount to the solenoid valve 7 calculated in the microcomputer 8 into voltage.
  • a microcomputer 8 serving as a control circuit for switching calculation and output of the driving amount of and to one of a plurality of solenoid valves 7 to calculation and output of the driving amount of and to another one
  • a power supply circuit 9 for converting supply voltage from the power supply 5 into driving voltage and supplying the driving voltage to the microcomputer 8
  • a communication I/F circuit 10 for communicating with the ELOP 2
  • a driver circuit 11 for converting the driving amount to the solenoid valve 7
  • the ELOP 2 includes a microcomputer 12 serving as a control circuit for calculating and outputting the driving amount to an oil pump for pressurizing operating oil of the automatic transmission, a power supply circuit 14 for converting supply voltage from the power supply 5 into driving voltage and supplying the driving voltage to the microcomputer 12 , a communication I/F circuit 13 for communicating with the ATCU 1 , and an ATCU relay control circuit 15 for turning ON/OFF the ATCU relay 4 to control electric power to be supplied to the ATCU 1 , which is an external electronic control device.
  • the ATCU relay control circuit 15 a transistor is illustrated in FIG. 1 .
  • the ATCU relay control circuit 15 does not need to be a transistor inside the ELOP 2 .
  • an output signal line adapted to cause the microcomputer 12 to drive the ATCU relay 4 functions as the ATCU relay control circuit 15 .
  • the communication I/F circuit 10 and the driver circuit. 11 implemented on the ATCU 1 are directly connected to the ATCU relay 4 . Also, the microcomputer 8 is also provided on the downstream side of the ATCU relay 4 via the power supply circuit 9 .
  • a path through which electric power is supplied from the power supply 5 not via the IGN relay 3 or the ATCU relay 4 and a path through which electric power is supplied from the power supply 5 via the IGN relay 3 and the ATOP relay 4 are respectively connected.
  • electric power is supplied to the power supply circuit 9 when the IGNSW 6 is turned ON by the driver to cause the IGN relay 3 to be turned ON, and the ATCU relay 4 is turned on by the ELOP 2 .
  • the power supply circuit 9 thereafter supplies an electronic part such as the microcomputer 8 with predetermined driving voltage.
  • the microcomputer 8 receives the driving voltage from the power supply circuit 9 , performs a predetermined reset process, and starts control of the solenoid valve 7 .
  • the power supply circuit 9 moves to a self shut-off period through a predetermined self shut-off delay period.
  • the power supply circuit 9 supplies driving voltage to the microcomputer 8 until an instruction from the microcomputer 8 is provided with use of voltage to be supplied from the power supply 5 not via the various relays.
  • the microcomputer 8 performs processes such as storage of various learned values during the self shut-off period and instructs the power supply circuit 9 to stop supply of the driving voltage to end the self shut-off period.
  • the self shut-off delay period is a period of a system standby state, and the ATCU 1 is in a non-operated state during the period.
  • the two kinds of power supply paths are connected in a similar manner.
  • abnormality detection of the ATCU 1 is performed at the time of system activation and at the time of a regular process, and when any abnormality occurs, the monitor device turns OFF the ATCU relay 4 as a fail-safe process.
  • FIG. 9 is a schematic view of a conventional system. Unlike FIG. 1 , the conventional system does not include the ATCU relay 4 , the ATCU relay control circuit 15 , and peripheral circuits thereof.
  • FIG. 2 illustrates a process flow of the ATCU 1 and the ELOP 2 at the time of system activation.
  • the IGNSW 6 is turned ON, the IGN relay 3 is turned ON, electric power is supplied to the power supply circuit 14 of the ELOP 2 , and the microcomputer 12 is activated.
  • the activated microcomputer 12 makes a self-diagnosis to determine whether or not an internal function has a failure (S 21 ).
  • Specific contents of this diagnosis are a ROM/RAM diagnosis, a register diagnosis, and the like.
  • transition to the fail-safe state is carried out (S 22 ).
  • diagnosis result is OK
  • the microcomputer 12 obtains a voltage state of the IGNSW 6 (S 23 ).
  • the ATCU relay 4 is turned ON to activate the ATCU 1 (S 26 ).
  • the ATCU 1 After activation of the ATCU 1 , the ATCU 1 makes a self-diagnosis to determine whether or not an internal function of the microcomputer 8 has a failure (S 27 ). Specific contents of this diagnosis are a ROM/RAM diagnosis, a register diagnosis, and the like.
  • transition to the fail-safe state is carried out (S 28 ).
  • diagnosis result is OK
  • the ATCU monitor system is determined to be normal, and transition to normal control is carried out (S 29 ).
  • the fail-safe control in this flowchart is to take control so that transition to a standby state and a reprogramming wait state may be carried out by the microcomputer 12 itself, and so that no operations may be performed until the IGNSW 6 is turned OFF.
  • FIG. 3 illustrates a process flow of the ATCU 1 and the ELOP 2 at the time of normal control after system activation.
  • the ELOP 2 receives the self-diagnosis result of the ATCU 1 from the ATCU 1 with use of a communication means (a CAN communication using the communication I/F circuits 10 and 13 in this example) (S 31 ).
  • a communication means a CAN communication using the communication I/F circuits 10 and 13 in this example
  • Specific contents of this self-diagnosis are not only functional diagnoses inside the microcomputer such as a ROM/RAM 4 diagnosis and a register diagnosis but also functional diagnoses of the ATCU 1 as a main body.
  • This self-diagnosis is a diagnosis made by the ATCU 1 itself.
  • the ELOP 2 makes an OK/NG determination based on the self-diagnosis result from the ATCU 1 (S 32 ). In a case in which the diagnosis result is NG, the ELOP 2 moves to fail-safe control. The ELOP 2 turns OFF the ATCU relay 4 to break electric connection to the ATCU 1 (S 33 ). In this case, since the ATCU 1 recognizes the abnormal state of its own, wiring may be performed so that not the ELOP 2 but the ATCU 1 itself can turn the ATCU relay 4 OFF.
  • the ELOP 2 transmits question data for detecting a functional failure of the microcomputer of the ATCU 1 , more specifically, a failure of an operator of the microcomputer, to the ATCU 1 by means of the CAN communication (S 34 ).
  • the ATCU 1 generates answer data with use of the operator of the microcomputer 8 based on the question data received from the ELOP 2 (S 35 ) and transmits the answer data back to the ELOP 2 (S 36 ).
  • the ELOP 2 makes an OK/NG determination based on the answer data received from the ATCU 1 (S 37 ). In a case in which the diagnosis result is NG, the ELOP 2 moves to fail-safe control. The ELOP 2 turns OFF the ATCU relay 4 to break electric connection to the ATCU 1 (S 38 ).
  • the ELOP 2 determines that the ATCU 1 is normal and continues normal control (S 39 ). Due to the above diagnoses, the ELOP 2 can diagnose an abnormal state that the ATCU 1 itself cannot determine.
  • a watchdog timer method may be employed, in which the ELOP 2 monitors a signal periodically transmitted from the ATCU 1 via the CAN communication.
  • the fail-safe control in this flowchart is control in which the microcomputer 12 of the ELOP 2 operates the ATCU relay control circuit 15 to turn OFF the ATCU relay 4 .
  • an electronic control device connected to the ATCU 1 via the network functions as a monitor device to enable a failure and a functional failure of the microcomputer or the like of the ATCU 1 to be detected. That is, it is possible to provide the monitor system capable of accurately detecting a failure of an electronic control device and capable of reliable transition to the fail-safe state without requiring a change in the internal configuration of the current electronic control device and with a minimum of system modification.
  • the functions of the ATCU 1 that is, operations of the solenoid valve 7 and network communication, can be stopped by turning OFF the ATCU relay 4 on the side of the ELOP 2 serving as a monitor device.
  • the vehicle travels with the automatic transmission being in a direct gear state, it is possible to prevent enormous damage, such as an interlock caused by being unable to turn OFF the power supply relay due to runaway of the ATCU 1 , from being generated.
  • another electronic control device implemented on the vehicle acts as a monitor device to dispense with implementation of a monitor device on the ATCU 1 itself, which is advantageous to system cost reduction.
  • the ATCU 1 is implemented integrally with the automatic transmission, there are limitations to the size and the implementation area of the ATCU. According to the present invention, such limitations can be satisfied.
  • the present invention is not limited to the monitor system of the ATCU and can be applied to an electronic control device having a function of bringing a vehicle in a safe direction by causing operations of the electronic control device to be stopped.
  • FIGS. 4 and 5 a second embodiment will be described with reference to FIGS. 4 and 5 .
  • a power supply breaker circuit diagnosing technique by means of a monitor device will be described.
  • the system configuration described in FIG. 1 is available, and description of the system configuration is thus omitted.
  • the IGNSW 6 is turned ON, the IGN relay 3 is turned ON, electric power is supplied to the power supply circuit 14 of the ELOP 2 , and the microcomputer 12 is activated.
  • the fail-safe control in this step is to take control so that transition to a standby state and a reprogramming wait state may be carried out by the microcomputer 12 itself, and so that no operations may be performed until the IGNSW 6 is turned OFF.
  • the ATCU relay 1 is turned ON to activate the ATCU 1 (S 206 ).
  • the ATCU 1 After activation of the ATCU 1 , the ATCU 1 makes a self-diagnosis to determine whether or not an internal function of the microcomputer 8 has a failure (S 207 ). Specific contents of this diagnosis are a ROM/RAM diagnosis, a register diagnosis, and the like. In a case in which the diagnosis result is NG, transition to the fail-safe state is carried out (S 208 ). In a case in which the diagnosis result is OK, the ATCU system is determined to be normal, and transition to a breaker circuit diagnosis of the ATCU relay 1 is carried out.
  • the ATCU 1 transmits a breaker circuit diagnosis start request to the ELOP 2 (S 209 ).
  • the ELOP 2 transmits a question for diagnosing a microcomputer function of the ATCU 1 (S 211 ).
  • the ELOP 2 sets an error counter that is to be counted up each time a false answer is received from the ATCU 4 to a threshold value at which an abnormality will be determined when one more false answer is received.
  • the ATCU 1 receives the question from the ELOP 2 (S 212 ) and calculates this question in the microcomputer 8 to prepare an answer.
  • the ATCU 1 prepares a false answer on purpose (S 213 ).
  • the ATCU 1 transmits the false answer to the ELOP 2 (S 214 ).
  • the ELOP 2 that has received the false answer (S 215 ) counts up the error counter to cause an abnormality to be determined, determines that the ATCU 1 has a functional failure (S 216 ), and breaks (OFF) the ATCU relay 4 as the fail-safe operation (S 217 ).
  • FIG. 8 an example of a method for preparing a question for diagnosing a microcomputer function of the ATCU 1 is illustrated in FIG. 8 .
  • a question received from the ELOP is subject to a questioned part diagnosis and a control part diagnosis to cause answer data to be generated.
  • question data from the ELOP is first extended from 8 bit to 32 bit, and a self-diagnosis is made to determine whether the question data is normally extended.
  • control part diagnosis a basic instruction diagnosis, an arithmetic operation, a logic operation, process control, and data transfer are executed in this order, and a set of commands used in the operator of the microcomputer is all used to prepare answer data.
  • the answer data is returned from 32 bit to 8 bit to cause a reversal value of the question data to correspond to the answer data.
  • the ATCU relay 4 Since the ATCU relay 4 is broken, the power of the communication I/F circuit 10 connected to the downstream of the relay is broken, and communication with the ELOP 2 is lost. That is, changes occur in communication data.
  • the ELOP 2 Since the ELOP 2 has previously received the breaker circuit diagnosis request, the ELOP 2 determines that the breaker circuit diagnosis is in progress in the current phase and detects communication loss from the ATCU 1 (S 218 ).
  • the ATCU 1 obtains voltage supplied from the power supply 5 via the IGN relay 3 and the ATCU relay 4 .
  • the ATCU 1 determines that the voltage reaches an OFF threshold value of the IGNSW 6
  • transition to a self shut delay process in which the ATCU 1 is operated by voltage supplied from the power supply 5 not via the IGN relay 3 or the ATCU relay 4 is carried out (S 219 ).
  • the fail-safe control in this step is to take control so that transition to a standby state and a reprogramming wait state may be carried out by the microcomputer 8 itself, and so that no operations may be performed until the IGNSW 6 is turned OFF.
  • the ELOP 2 regards the breaker circuit diagnosis as being normal
  • the ELOP 2 turns ON the ATCU relay 4 again. (S 223 ), reactivates the ATCU 1 , and moves to normal control (S 224 ).
  • the ATCU relay 4 is turned ON again during the self shut-off delay process, and the ATCU 1 can thus move to normal control before the microcomputer 8 completely stops. Accordingly, the diagnosis of the power supply breaker circuit by means of the ELOP 2 can be made without completely stopping the microcomputer 8 of the ATCU 1 .
  • the ELOP 2 determines that the ATCU relay 1 is fixed to the ON state and regards the breaker circuit diagnosis as being abnormal (S 225 ).
  • the ELOP 2 regards the breaker circuit diagnosis as being abnormal, the ELOP 2 transmits abnormality information to the ATCU 1 (S 226 ), and the ATCU 1 moves to the fail-safe state.
  • the fail-safe control in this step is to take control so that transition to a standby state and a reprogramming wait state may be carried out by the microcomputer 8 itself, and so that no operations may be performed until the IGNSW 6 is turned OFF.
  • FIG. 6 is a timing chart illustrating a process to deal with low voltage of the driving power supply after transition to normal control (regular process) after the breaker circuit diagnosis.
  • the TCU RLY located on the downstream of the IGN RLY is almost simultaneously turned OFF.
  • the ATCU is restarted and can return to the regular process without making a self-diagnosis process (initialization process).
  • the monitor system for monitoring an electronic control device includes monitor device physically independent for detecting an abnormality of an electronic control device to be monitored, a power supply means for supplying the electronic control device and the monitor device with driving power, a power supply means for supplying the monitor device with driving power in a case in which an activation switch signal to be input from outside is in an active level, a first relay provided between the power supply means and the monitor device for supplying/breaking power to the monitor device, a second relay provided on the downstream of the first relay for supplying/breaking driving power to the electronic control device based on determination of the monitor device regarding whether or not the driving power is to be supplied to the electronic control device, and a communication line for making a diagnosis by means of communication between the electronic control device and the monitor device.
  • the electronic control device to be monitored may include a power supply circuit for outputting voltage to operate a microcomputer in a case in which the second relay is in an ON state due to an activation request from the monitor device, the microcomputer operated by voltage output from the power supply circuit, a communication circuit activated by an activation request signal from the monitor device, and a driver circuit for a solenoid valve activated by an activation request signal from the monitor device.
  • the monitor device may at least include a power supply circuit for outputting voltage to operate a microcomputer of the monitor device in a case in which the activation switch signal is in the active level, the microcomputer operated by voltage output from the power supply circuit, and a communication circuit activated by power supplied from the power supply circuit.
  • the monitor device may operate the microcomputer of the monitor device in a case in which the activation switch signal is in the active level and make a self-diagnosis of the microcomputer at the time of activation and a regular process, and in a case in which the monitor device confirms that the microcomputer is normally operated, the monitor device may turn ON the second relay.
  • the monitor device may operate the microcomputer of the monitor device in a case in which the activation switch signal is in the active level and make a self-diagnosis or the microcomputer at the time of activation and a regular process, and in a case in which the monitor device confirms that the microcomputer is abnormal, the monitor device may transmit abnormality information to the control device to be monitored via the communication circuit and turn OFF the second relay.
  • the electronic control device to be monitored may operate the microcomputer in a case in which the second relay is turned ON by an activation request from the monitor device and make a self-diagnosis of the microcomputer at the time of activation, and in a case in which the electronic control device determines that the microcomputer is abnormal, transition to a standby state may be carried out not to perform control of a vehicular automatic transmission or the like (e.g., oil pressure control of the solenoid valve).
  • a vehicular automatic transmission or the like e.g., oil pressure control of the solenoid valve
  • the electronic control device to be monitored operates the microcomputer in a case in which the second relay is in the ON state and performs control of the vehicular automatic transmission or the like (e.g., oil pressure control of the solenoid valve) at the time of a regular process.
  • the electronic control device may make a self-diagnosis of the microcomputer even at the time of the regular process, and in a case in which the electronic control device determines that the microcomputer is abnormal, the electronic control device may transmit abnormality information to the monitor device via the communication circuit, stop output to the communication circuit, and then cause the microcomputer to move to a standby state not to perform control of the vehicular automatic transmission or the like.
  • the monitor device may transmit question data for diagnosing an operating function in the microcomputer to the electronic control device to be monitored via the communication circuit at the time of the regular process.
  • the electronic control device to be monitored may receive the question data transmitted from the monitor device and prepare answer data by executing a program previously incorporated in the microcomputer at the time of the regular process.
  • the electronic control device to be monitored may transmit the answer data to the monitor device via the communication circuit at the time of the regular process.
  • the monitor device may receive the answer data from the electronic control device to be monitored and determine based on the answer data whether or not the operating function in the microcomputer of the electronic control device to be monitored is normal.
  • the monitor device may cause the second relay to be turned OFF in a case in which the monitor device determines that the diagnosis result is abnormal.
  • the electronic control device to be monitored may have a configuration in which, in a case in which the second relay is caused to be turned OFF, the electronic control device can break electric connection to the communication circuit and the driver circuit for the solenoid valve before power to be supplied to the microcomputer is broken.
  • another electronic control device can be regarded as a monitor device of the ATCU.
  • a monitoring-side electronic control device transmits a question for diagnosing a function of a main microcomputer to an electronic control device to be monitored, and the electronic control device to be monitored calculates an answer to the question and transmits the answer to the monitoring-side electronic control device. In this manner, it is possible to detect a failure of the microcomputer in the electronic control device to be monitored.
  • the monitoring-side electronic control device detects an abnormality of the electronic control device to be monitored, the monitoring-side electronic control device can turn OFF the power supply relay of the electronic control device to be monitored to stop operations of the electronic control device to be monitored, that is, operations of the solenoid valve in a case of control of an automatic transmission.
  • the monitoring-side electronic control device since the vehicle travels with the automatic transmission being in a direct gear state, it is possible to prevent enormous damage, such as an interlock caused by being unable to turn OFF the power supply relay due to runaway of the electronic control device to be monitored, from being generated.
  • the monitor device transmits failure information to the electronic control device to be monitored, and the electronic control device to be monitored can carry out a fail-safe process such as transition to a standby state by the electronic control device to be monitored itself.
  • another electronic control device implemented on the vehicle acts as a monitor device to dispense with implementation of a monitor device on the electronic control device to be monitored itself, which is advantageous to system cost reduction.
  • a breaker circuit diagnosis can easily be achieved by making an upper electronic control device control a power supply relay on condition that any communication means is provided.
  • the present invention can be applied to an electronic control device which, in a case of a functional abnormality of the electronic control device to be monitored, has a function of bringing a vehicle in a safe direction by making the upper electronic control device break (OFF) the power supply relay.

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Control Of Transmission Device (AREA)
US15/319,025 2014-06-18 2015-06-08 Vehicle-mounted control device or vehicle-mounted control system Active 2035-09-21 US10221944B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2014-124883 2014-06-18
JP2014124883 2014-06-18
PCT/JP2015/066433 WO2015194407A1 (ja) 2014-06-18 2015-06-08 車載制御装置または車載制御システム

Publications (2)

Publication Number Publication Date
US20170146118A1 US20170146118A1 (en) 2017-05-25
US10221944B2 true US10221944B2 (en) 2019-03-05

Family

ID=54935394

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/319,025 Active 2035-09-21 US10221944B2 (en) 2014-06-18 2015-06-08 Vehicle-mounted control device or vehicle-mounted control system

Country Status (5)

Country Link
US (1) US10221944B2 (zh)
EP (1) EP3159220B1 (zh)
JP (1) JP6364486B2 (zh)
CN (1) CN106414179B (zh)
WO (1) WO2015194407A1 (zh)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3321135A4 (en) * 2015-07-07 2019-03-13 Hitachi Automotive Systems, Ltd. VEHICLE CONTROL DEVICE
JP6777641B2 (ja) * 2015-09-29 2020-10-28 日立オートモティブシステムズ株式会社 監視システム及び車両用制御装置
JP6651428B2 (ja) * 2016-09-28 2020-02-19 日立オートモティブシステムズ株式会社 変速機制御装置
JP6683104B2 (ja) * 2016-11-07 2020-04-15 株式会社デンソー 電子制御装置
JP6652103B2 (ja) * 2017-04-19 2020-02-19 株式会社デンソー 車両の自動運転制御システム
JP6874125B2 (ja) * 2017-04-25 2021-05-19 日立Astemo株式会社 電子制御装置
JP7024345B2 (ja) * 2017-11-21 2022-02-24 株式会社デンソー 電子制御装置
JP7135548B2 (ja) * 2018-08-01 2022-09-13 株式会社ジェイテクト 電源監視装置及び電源監視方法
CN113966492A (zh) * 2019-06-24 2022-01-21 日立安斯泰莫株式会社 车载控制装置
JP7415364B2 (ja) 2019-08-02 2024-01-17 株式会社オートネットワーク技術研究所 車載中継装置、コンピュータプログラム及び故障判定方法
JP7063312B2 (ja) * 2019-09-27 2022-05-09 株式会社デンソー 電子制御装置

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06351077A (ja) 1993-06-10 1994-12-22 Mazda Motor Corp 多重伝送装置
DE102006024923A1 (de) 2005-06-01 2006-12-07 Toyota Jidosha K.K., Toyota Elektronische Steuerungsvorrichtung für ein Fahrzeug
WO2008015537A2 (en) 2006-08-03 2008-02-07 Toyota Jidosha Kabushiki Kaisha Diagnostic system for automatic transmission
JP2008088885A (ja) 2006-10-02 2008-04-17 Denso Corp 内燃機関の制御装置
US20080238192A1 (en) 2007-03-28 2008-10-02 Mitsubishi Electric Corporation Power feed control circuit for on-vehicle electronic control apparatuses
JP2009196453A (ja) 2008-02-20 2009-09-03 Denso Corp スイッチ手段の故障検出装置
JP2012107655A (ja) 2010-11-15 2012-06-07 Denso Corp シフトバイワイヤシステム
JP2013006454A (ja) 2011-06-22 2013-01-10 Autonetworks Technologies Ltd 電源制御システム、電源制御装置及び電源制御方法
JP2013024266A (ja) 2011-07-16 2013-02-04 Denso Corp 車載制御システム
US20130253786A1 (en) * 2010-12-06 2013-09-26 Toyota Jidosha Kabushiki Kaisha Control apparatus for vehicular automatic transmission
US20130267381A1 (en) * 2010-12-25 2013-10-10 Toyota Jidosha Kabushiki Kaisha Control apparatus for vehicular automatic transmission
JP2014091340A (ja) 2012-10-31 2014-05-19 Hitachi Automotive Systems Ltd 自動車用制御装置
US8786424B2 (en) * 2012-02-15 2014-07-22 Infineon Technologies Ag Error signal handling unit, device and method for outputting an error condition signal
US9218236B2 (en) * 2012-10-29 2015-12-22 Infineon Technologies Ag Error signal handling unit, device and method for outputting an error condition signal

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5315155B2 (ja) * 2009-07-23 2013-10-16 日立オートモティブシステムズ株式会社 半導体素子制御装置、車載用電機システム
JP2012192754A (ja) * 2011-03-15 2012-10-11 Omron Automotive Electronics Co Ltd 車載機器制御装置

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06351077A (ja) 1993-06-10 1994-12-22 Mazda Motor Corp 多重伝送装置
DE102006024923A1 (de) 2005-06-01 2006-12-07 Toyota Jidosha K.K., Toyota Elektronische Steuerungsvorrichtung für ein Fahrzeug
US20060276947A1 (en) * 2005-06-01 2006-12-07 Toyota Jidosha Kabushiki Kaisha Electronic control apparatus for vehicle
JP2006335183A (ja) 2005-06-01 2006-12-14 Toyota Motor Corp 車両の電子制御装置
WO2008015537A2 (en) 2006-08-03 2008-02-07 Toyota Jidosha Kabushiki Kaisha Diagnostic system for automatic transmission
JP2008088885A (ja) 2006-10-02 2008-04-17 Denso Corp 内燃機関の制御装置
US20080238192A1 (en) 2007-03-28 2008-10-02 Mitsubishi Electric Corporation Power feed control circuit for on-vehicle electronic control apparatuses
JP2008240684A (ja) 2007-03-28 2008-10-09 Mitsubishi Electric Corp 車載電子制御装置の給電制御回路
JP2009196453A (ja) 2008-02-20 2009-09-03 Denso Corp スイッチ手段の故障検出装置
JP2012107655A (ja) 2010-11-15 2012-06-07 Denso Corp シフトバイワイヤシステム
US20130253786A1 (en) * 2010-12-06 2013-09-26 Toyota Jidosha Kabushiki Kaisha Control apparatus for vehicular automatic transmission
US20130267381A1 (en) * 2010-12-25 2013-10-10 Toyota Jidosha Kabushiki Kaisha Control apparatus for vehicular automatic transmission
JP2013006454A (ja) 2011-06-22 2013-01-10 Autonetworks Technologies Ltd 電源制御システム、電源制御装置及び電源制御方法
DE112012002587T5 (de) 2011-06-22 2014-04-03 Autonetworks Technologies, Ltd. Stromquellen-Steuersystem, Stromquellen-Steuereinrichtung und Stromquellen-Steuerverfahren
US20140121901A1 (en) 2011-06-22 2014-05-01 Autonetworks Technologies, Ltd. Electrical power supply control system, electrical power supply control device, and electrical power supply control method
JP2013024266A (ja) 2011-07-16 2013-02-04 Denso Corp 車載制御システム
US8786424B2 (en) * 2012-02-15 2014-07-22 Infineon Technologies Ag Error signal handling unit, device and method for outputting an error condition signal
US9218236B2 (en) * 2012-10-29 2015-12-22 Infineon Technologies Ag Error signal handling unit, device and method for outputting an error condition signal
JP2014091340A (ja) 2012-10-31 2014-05-19 Hitachi Automotive Systems Ltd 自動車用制御装置

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Extended European Search Report issued in counterpart European Application No. 15809855.8 dated Jan. 22, 2018 (eight pages).
International Search Report (PCT/ISA/210) issued in PCT Application No. PCT/JP2015/066433 dated Aug. 11, 2015 with English-language translation (three (3) pages).
Japanese-language Office Action issued in counterpart Japanese Application No. 2016-529248 dated Nov. 21, 2017 with English translation (six (6) pages).
Japanese-language Written Opinion (PCT/ISA/237) issued in PCT Application No. PCT/JP2015/066433 dated Aug. 11, 2015 (four (4) pages).

Also Published As

Publication number Publication date
US20170146118A1 (en) 2017-05-25
CN106414179B (zh) 2019-12-06
WO2015194407A1 (ja) 2015-12-23
EP3159220A1 (en) 2017-04-26
JP6364486B2 (ja) 2018-07-25
EP3159220B1 (en) 2019-03-13
CN106414179A (zh) 2017-02-15
JPWO2015194407A1 (ja) 2017-04-20
EP3159220A4 (en) 2018-02-21

Similar Documents

Publication Publication Date Title
US10221944B2 (en) Vehicle-mounted control device or vehicle-mounted control system
JP5598499B2 (ja) 電池監視装置
EP3444624B1 (en) Apparatus for diagnosing relay failure of battery using parallel circuit for constant power supply and method thereof
WO2017056688A1 (ja) 監視システム及び車両用制御装置
JP2014105857A (ja) 油圧センサ故障診断方法及びシステム
US20180119804A1 (en) Vehicle control device
JP7172499B2 (ja) 電子制御装置
JP6334436B2 (ja) 車両用相互監視モジュール
JP5874445B2 (ja) 異常診断装置
CN104040224A (zh) 用于动力传动系部件的方法和控制器
JP2013504014A (ja) クラッチアクチュエータ
JP2010154594A (ja) 電子制御システムの故障診断装置
JP6380141B2 (ja) 電子制御装置
WO2021060546A1 (ja) 電子制御装置
JP6181011B2 (ja) 内燃機関の制御装置
US10718428B2 (en) Controller for vehicle transmission
CN109910613B (zh) 扭矩关断方法、扭矩关断系统和车辆
JP2016142141A (ja) 車両用電子制御装置
JP6651428B2 (ja) 変速機制御装置
JP6473072B2 (ja) 車両制御装置
US20220355668A1 (en) On-vehicle control device
KR20120079640A (ko) 뉴트럴 스위치 고장 진단 시스템 및 그 방법
WO2017010490A1 (ja) 低電圧異常判定装置及び低電圧異常判定方法
KR101535860B1 (ko) 자동변속기 차량에 대한 시동제어장치 및 그 방법
JP2016048083A (ja) 非常用スイッチの診断装置および変速制御システム

Legal Events

Date Code Title Description
AS Assignment

Owner name: HITACHI AUTOMOTIVE SYSTEMS, LTD., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:OKUBO, SATORU;MASUDA, KENJI;REEL/FRAME:040993/0180

Effective date: 20161110

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
AS Assignment

Owner name: HITACHI ASTEMO, LTD., JAPAN

Free format text: CHANGE OF NAME;ASSIGNOR:HITACHI AUTOMOTIVE SYSTEMS, LTD.;REEL/FRAME:056299/0447

Effective date: 20210101

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4